Zumik
Security & compliance

Data privacy and retention

Metadata-only tracing by default, the trace privacy modes, retention profiles, encryption in transit and at rest, and no raw prompt logs.

Zumik collects the minimum needed to operate. Tracing defaults to metadata only, no raw prompt text is logged, and any richer mode is something you opt into explicitly.

Metadata-only by default

By default, traces store lengths, timing, fingerprints, lineage, and usage, never the prompt text. That is enough to run a workload diagnostic and report reuse, and it keeps the most sensitive data out of the platform entirely.

Trace privacy modes

Choose the mode per request on /v2, or with the Agent-Trace-Mode header on /v1. Higher fidelity is opt-in and tied to your retention policy.

ModeStored dataUse case
metadataLengths, timing, fingerprints, lineage, usageLow-risk diagnostics (default)
tokenizedToken IDs plus redacted metadataFaithful performance replay without plaintext
encrypted_full_fidelityEncrypted source payloads under customer-controlled policyOutput-quality evaluation

A fourth mode, synthetic, generates a structurally similar workload with no real content, for public benchmarking and stress tests. Raw prompt text is never retained by default in any mode you do not explicitly select.

Tokenized and full-fidelity modes exist so replay can faithfully reproduce a workload. They are deliberate choices recorded against your project, not a default.

Retention profiles

A project carries a retention profile that governs how long retained representations live and the purge guarantee class deletion can achieve for each processor. Retention, routing, and purge behavior are disclosed to you rather than left vague, because a purge claim can only be as strong as the underlying profile supports.

Provider-managed caches are a real limit here: some providers do not support active manual cache clearing, so a managed-provider profile exposes an expiry-bound guarantee instead of falsely claiming an immediate physical purge. See retention and purge for the guarantee classes and what each one means.

Encryption

  • In transit. TLS 1.2 minimum, TLS 1.3 preferred, everywhere. Deprecated algorithms (MD5, SHA-1, RC4, DES) are not used.
  • At rest. Data at rest is encrypted with AES-256-GCM or equivalent. BYOK provider keys are sealed with AES-256-GCM and decrypted only at execution time; the sealed nonce-and-ciphertext form is all that is ever persisted, and plaintext never touches the store or a log.
  • Internal fingerprints use HMAC-SHA256 with tenant-scoped keys. See tenant isolation.

Regional policy

Data residency defaults to US regions. Enterprise customers can configure residency to the EU or other supported regions through project policy, and Zumik does not process or store customer data outside the configured region without explicit consent. See GDPR and CCPA for residency and subject rights, and regional policy for the routing controls.

Non-essential processing is off until you opt in. Analytics consent defaults to off, Do-Not-Sell is always honored, and Global Privacy Control browser signals are honored at the edge. Consent changes are written to the audit log so the choice is provable.

On this page